quasar | e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EnigmaSRC.exe
Size

3.3MB
MD5

bf4ca8258fd2f4df510aa046bbf7b21c
SHA1

79fe2a2cd3df7f83a44c33d2a061d588a8238c07
SHA256

e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156
SHA512

aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828
SSDEEP

49152:tvjt62XlaSFNWPjljiFa2RoUYI8qR16AbR30oGdUTHHB72eh2NT:tvx62XlaSFNWPjljiFXRoUYI8qR161

Score

10^/10

quasar enigma.sln discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Enigma.Sln

C:\Users\nigger>:4782

Mutex

79e05c67-893c-4161-b8aa-df3a5e2de8c8

Attributes

encryption_key
180D990AA3B58892A5FBAE1EDF8AAEDB00F4AF8E
install_name
host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Visual Studios
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-1-0x0000000000990000-0x0000000000CE0000-memory.dmp	family_quasar
behavioral1/files/0x000800000001878c-6.dat	family_quasar
behavioral1/memory/2040-9-0x0000000000080000-0x00000000003D0000-memory.dmp	family_quasar
behavioral1/memory/2964-23-0x00000000010C0000-0x0000000001410000-memory.dmp	family_quasar
behavioral1/memory/1860-65-0x0000000000160000-0x00000000004B0000-memory.dmp	family_quasar
behavioral1/memory/2100-77-0x00000000001C0000-0x0000000000510000-memory.dmp	family_quasar
behavioral1/memory/2476-88-0x0000000000100000-0x0000000000450000-memory.dmp	family_quasar
behavioral1/memory/2772-99-0x0000000000B80000-0x0000000000ED0000-memory.dmp	family_quasar
behavioral1/memory/1684-121-0x0000000000960000-0x0000000000CB0000-memory.dmp	family_quasar
behavioral1/memory/1940-132-0x0000000000BF0000-0x0000000000F40000-memory.dmp	family_quasar
behavioral1/memory/2912-143-0x0000000000370000-0x00000000006C0000-memory.dmp	family_quasar
behavioral1/memory/1744-154-0x0000000000F50000-0x00000000012A0000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
2040	host.exe
2964	host.exe
2044	host.exe
1676	host.exe
3060	host.exe
1860	host.exe
2100	host.exe
2476	host.exe
2772	host.exe
2352	host.exe
1684	host.exe
1940	host.exe
2912	host.exe
1744	host.exe
2532	host.exe
2372	host.exe

Drops file in System32 directory 35 IoCs

Processes:

EnigmaSRC.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\host.exe	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File created	C:\Windows\system32\SubDir\host.exe	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1752	PING.EXE
2460	PING.EXE
3036	PING.EXE
1660	PING.EXE
3048	PING.EXE
1944	PING.EXE
2248	PING.EXE
1728	PING.EXE
2648	PING.EXE
280	PING.EXE
2564	PING.EXE
2800	PING.EXE
268	PING.EXE
2384	PING.EXE
2776	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2648	PING.EXE
268	PING.EXE
1944	PING.EXE
2800	PING.EXE
2460	PING.EXE
2564	PING.EXE
3036	PING.EXE
280	PING.EXE
3048	PING.EXE
1728	PING.EXE
2776	PING.EXE
1660	PING.EXE
2248	PING.EXE
1752	PING.EXE
2384	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1648	schtasks.exe
2128	schtasks.exe
2604	schtasks.exe
1144	schtasks.exe
2660	schtasks.exe
2480	schtasks.exe
2808	schtasks.exe
660	schtasks.exe
1240	schtasks.exe
2432	schtasks.exe
1992	schtasks.exe
2892	schtasks.exe
2056	schtasks.exe
2124	schtasks.exe
1956	schtasks.exe
1940	schtasks.exe
344	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

EnigmaSRC.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	pid	Process
Token: SeDebugPrivilege	2472	EnigmaSRC.exe
Token: SeDebugPrivilege	2040	host.exe
Token: SeDebugPrivilege	2964	host.exe
Token: SeDebugPrivilege	2044	host.exe
Token: SeDebugPrivilege	1676	host.exe
Token: SeDebugPrivilege	3060	host.exe
Token: SeDebugPrivilege	1860	host.exe
Token: SeDebugPrivilege	2100	host.exe
Token: SeDebugPrivilege	2476	host.exe
Token: SeDebugPrivilege	2772	host.exe
Token: SeDebugPrivilege	2352	host.exe
Token: SeDebugPrivilege	1684	host.exe
Token: SeDebugPrivilege	1940	host.exe
Token: SeDebugPrivilege	2912	host.exe
Token: SeDebugPrivilege	1744	host.exe
Token: SeDebugPrivilege	2532	host.exe
Token: SeDebugPrivilege	2372	host.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
2040	host.exe
2964	host.exe
2044	host.exe
1676	host.exe
3060	host.exe
1860	host.exe
2100	host.exe
2476	host.exe
2772	host.exe
2352	host.exe
1684	host.exe
1940	host.exe
2912	host.exe
1744	host.exe
2532	host.exe
2372	host.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
2040	host.exe
2964	host.exe
2044	host.exe
1676	host.exe
3060	host.exe
1860	host.exe
2100	host.exe
2476	host.exe
2772	host.exe
2352	host.exe
1684	host.exe
1940	host.exe
2912	host.exe
1744	host.exe
2532	host.exe
2372	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EnigmaSRC.exehost.execmd.exehost.execmd.exehost.execmd.exehost.execmd.exe

description	pid	Process	procid_target
PID 2472 wrote to memory of 1992	2472	EnigmaSRC.exe	30
PID 2472 wrote to memory of 1992	2472	EnigmaSRC.exe	30
PID 2472 wrote to memory of 1992	2472	EnigmaSRC.exe	30
PID 2472 wrote to memory of 2040	2472	EnigmaSRC.exe	32
PID 2472 wrote to memory of 2040	2472	EnigmaSRC.exe	32
PID 2472 wrote to memory of 2040	2472	EnigmaSRC.exe	32
PID 2040 wrote to memory of 2128	2040	host.exe	33
PID 2040 wrote to memory of 2128	2040	host.exe	33
PID 2040 wrote to memory of 2128	2040	host.exe	33
PID 2040 wrote to memory of 2276	2040	host.exe	35
PID 2040 wrote to memory of 2276	2040	host.exe	35
PID 2040 wrote to memory of 2276	2040	host.exe	35
PID 2276 wrote to memory of 2772	2276	cmd.exe	37
PID 2276 wrote to memory of 2772	2276	cmd.exe	37
PID 2276 wrote to memory of 2772	2276	cmd.exe	37
PID 2276 wrote to memory of 2776	2276	cmd.exe	38
PID 2276 wrote to memory of 2776	2276	cmd.exe	38
PID 2276 wrote to memory of 2776	2276	cmd.exe	38
PID 2276 wrote to memory of 2964	2276	cmd.exe	40
PID 2276 wrote to memory of 2964	2276	cmd.exe	40
PID 2276 wrote to memory of 2964	2276	cmd.exe	40
PID 2964 wrote to memory of 2808	2964	host.exe	41
PID 2964 wrote to memory of 2808	2964	host.exe	41
PID 2964 wrote to memory of 2808	2964	host.exe	41
PID 2964 wrote to memory of 2624	2964	host.exe	43
PID 2964 wrote to memory of 2624	2964	host.exe	43
PID 2964 wrote to memory of 2624	2964	host.exe	43
PID 2624 wrote to memory of 2216	2624	cmd.exe	45
PID 2624 wrote to memory of 2216	2624	cmd.exe	45
PID 2624 wrote to memory of 2216	2624	cmd.exe	45
PID 2624 wrote to memory of 2800	2624	cmd.exe	46
PID 2624 wrote to memory of 2800	2624	cmd.exe	46
PID 2624 wrote to memory of 2800	2624	cmd.exe	46
PID 2624 wrote to memory of 2044	2624	cmd.exe	47
PID 2624 wrote to memory of 2044	2624	cmd.exe	47
PID 2624 wrote to memory of 2044	2624	cmd.exe	47
PID 2044 wrote to memory of 660	2044	host.exe	48
PID 2044 wrote to memory of 660	2044	host.exe	48
PID 2044 wrote to memory of 660	2044	host.exe	48
PID 2044 wrote to memory of 2516	2044	host.exe	50
PID 2044 wrote to memory of 2516	2044	host.exe	50
PID 2044 wrote to memory of 2516	2044	host.exe	50
PID 2516 wrote to memory of 1056	2516	cmd.exe	52
PID 2516 wrote to memory of 1056	2516	cmd.exe	52
PID 2516 wrote to memory of 1056	2516	cmd.exe	52
PID 2516 wrote to memory of 2460	2516	cmd.exe	53
PID 2516 wrote to memory of 2460	2516	cmd.exe	53
PID 2516 wrote to memory of 2460	2516	cmd.exe	53
PID 2516 wrote to memory of 1676	2516	cmd.exe	54
PID 2516 wrote to memory of 1676	2516	cmd.exe	54
PID 2516 wrote to memory of 1676	2516	cmd.exe	54
PID 1676 wrote to memory of 1940	1676	host.exe	55
PID 1676 wrote to memory of 1940	1676	host.exe	55
PID 1676 wrote to memory of 1940	1676	host.exe	55
PID 1676 wrote to memory of 2820	1676	host.exe	57
PID 1676 wrote to memory of 2820	1676	host.exe	57
PID 1676 wrote to memory of 2820	1676	host.exe	57
PID 2820 wrote to memory of 2928	2820	cmd.exe	59
PID 2820 wrote to memory of 2928	2820	cmd.exe	59
PID 2820 wrote to memory of 2928	2820	cmd.exe	59
PID 2820 wrote to memory of 2648	2820	cmd.exe	60
PID 2820 wrote to memory of 2648	2820	cmd.exe	60
PID 2820 wrote to memory of 2648	2820	cmd.exe	60
PID 2820 wrote to memory of 3060	2820	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EnigmaSRC.exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSRC.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1992
- C:\Windows\system32\SubDir\host.exe
  "C:\Windows\system32\SubDir\host.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2128
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ms0VIecaTAkv.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2772
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2776
  - - C:\Windows\system32\SubDir\host.exe
      "C:\Windows\system32\SubDir\host.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nhQNWOVHwFs6.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2216
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
      - C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iBD3Qzcby0gl.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2460
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c0gBuOC9Ns5y.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3060
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqiP7y65HKad.bat" "
        11⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1860
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsOe9dKXjrmE.bat" "
        13⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:268
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2100
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8w3SkIITHF8t.bat" "
        15⤵
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:280
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\J7ER78TATaea.bat" "
        17⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\W4KgS0zkaZjJ.bat" "
        19⤵
        
        PID:2860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2352
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hx4qrka6A6Bp.bat" "
        21⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3048
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWmpFeHxtE1W.bat" "
        23⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1944
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lI8MdT6EnI3R.bat" "
        25⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aA5r0iCgoeLy.bat" "
        27⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1752
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1744
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OP1VohdTifEa.bat" "
        29⤵
        
        PID:1240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0UePqjaS2pmS.bat" "
        31⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0UePqjaS2pmS.bat

Filesize
194B

MD5
2da7a1b7d910eaaaabbb082b5d68a210

SHA1
91c30cd9d44bdbb6573b0db44fef2705340ae0f4

SHA256
35c91d23e5d10959de24d7234206906a496465d1695fd3a3ae4617f911670729

SHA512
c28a4ae32e2978058cdc92e5fd2fb78ae7b8cc453a9ebdd414853b939dff28a1fa7fea3a7ca3c891999a71b0ede41e3a899fbd00ecb222c5d20d3c4195a54b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\8w3SkIITHF8t.bat

Filesize
194B

MD5
6bf598298e9a4cbea70b28e8f0ead0ad

SHA1
bc687d37f684e02699f5f33c85be7d21c6b245de

SHA256
c5438709b9c3aded0f5460de98e799e19cbb3613230dbd9e9b3962e4f6bc6177

SHA512
88d91846ba9344a8afc4aee90542f5408b5712801e96e11b1a16c0918fbcac4a9af4b31e97306a4fad17a383ad14ccef40f83bb01abbf7ee3b87748f4cb0553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hx4qrka6A6Bp.bat

Filesize
194B

MD5
b58d2077a7252bd60a2b7b72bad97c0b

SHA1
ec3c7f22947a408f383ab8eb5a7bf96bc25312b2

SHA256
9ec79282f24c9ef6602ec60c482e79bc1ac0859ab36278c988d3f720ad094416

SHA512
27242933bfb4a8bd57b9e7115de00f941abd8fec4d68b2fade32f4dffcf610df41cf9682674075a83a591a4ae837fc317d7031b7e2c07638c480914f275c2090

Download Submit
C:\Users\Admin\AppData\Local\Temp\J7ER78TATaea.bat

Filesize
194B

MD5
d7aac2468e91d9bebe92ca457bc4a5c9

SHA1
253a807a46c826d0ae346741d6abdcb5cc523d1b

SHA256
be71bfdf6209536545d7fd3fb2ff5081908e358e65b5fb09273ef055f881ca49

SHA512
846c7bc94ee63b9a147009cd64d0864f6dc33888c64e65876738d1a9a19c7983e41e0a5dbf395e319f916e72287368ea9a654bdf838e60d4820afc9cbdd832a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ms0VIecaTAkv.bat

Filesize
194B

MD5
be30bf4ca0722ebdb253e92c04da808c

SHA1
e1dfc0629e3cc960e7ab2e0cf0302f471af26630

SHA256
4beef075b1da5efb7b0338b50bade9f6385c17d2d1dd5479289be1e46eaefcbf

SHA512
174189ffeec51ef6c84905aed5289cbd7287a66d3e026b592863fa9df978eb629e5d9e5dd96b07c561cbcccd33c570b9d518d158997d251faf7c8084677f52ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OP1VohdTifEa.bat

Filesize
194B

MD5
a4f5dff5fa8a3dce7c7f3da2cb9c3938

SHA1
29c4a090cd819dc8b539fd1308995dbe5299237b

SHA256
750d330294dbb225823c412ed69633718d785d525f63b12836bc44bd33e390c6

SHA512
e06e3aca3453d6cc14d6ad744adc23c24ee062a2bba14fa2828d3c3453b6f0c34bd7594fe26221df030276b74fe51b53bde56426c02b7d0cf5c327f4be990ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4KgS0zkaZjJ.bat

Filesize
194B

MD5
58e05a58e58c7700e9831658e4ca771c

SHA1
c1f3289103da3b5f02aac9ff6414f4886f9e8c20

SHA256
c5dee6eed502e641fbadf4816c9a17a38fad000dd8e065cac03cb43d44bbd2a6

SHA512
19f86f41396f0fdb77b37110fcd8a4485d9592deae3891f1d4177f0aca265b44a822b1463be10f021cb384db502e7a56d3babf4b8c707de02fffa30440fd319f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWmpFeHxtE1W.bat

Filesize
194B

MD5
bd009164384639f6dd404308be9f1816

SHA1
6b356d48545b1ac6b71482517b1fcc5ab0effef4

SHA256
b6466fc784865a778ce4a324c2b1649ff98027f1b557e562b0d1174ae3606916

SHA512
f062e4654d9609ab40d06f80de110457b0c3ebb9448d058242700363ad667238aafa1bf9853524fd7c7148d4a1f6aa04c16b3d0665dd315214978256a74a2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\aA5r0iCgoeLy.bat

Filesize
194B

MD5
34f6dc0fd0acf32f210aa6870425f179

SHA1
043c715d21b536c310a7802bda67030045e09b09

SHA256
6f06701105f024be8b799862fbcb1305dbd2c6d62be6db43bb1ed2139b7c3c16

SHA512
7bb2e7d6344fd5b9f02e76261da918977bb2e6747e384f609520173760784c164a2aa8dd02315548352051ce51f91de93b6d0dc2cf7ca6d922e4f6a6b105ef49

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0gBuOC9Ns5y.bat

Filesize
194B

MD5
e014241cde183e11bdbb2cfcf65ecbd3

SHA1
733538603033e5303f8ac2c20dd3a97ca151363d

SHA256
d4d9c5583697f7a9e08723e6b135f7d3336cf6d35802b703cfe22a8d17fa93e1

SHA512
bc0fca7a24087e2abc7e0c87d91f624744f435fd0b05c034c13e11eec9738fd5f19a420c5f8fd77bc4b15d5b02e3d16fc36df3ce081ff8994aa18ef15676b953

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsOe9dKXjrmE.bat

Filesize
194B

MD5
30d0bd3bda0a6b86b3111ee20accbee2

SHA1
27ebf7b37412b48cdb1c3c682a20b6b3e603c150

SHA256
b6bf4f5452744dfe57897c5042b999171931cc646f5e45958cba430ec78c9ed3

SHA512
ad700fe34ffdacfdebf2fe758379f03638972a5f34a2b7ee950102886163dcbbbe933c95f77aa08271527452cf6c2aed9501220a2d9b5af6233cab62f23b63bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iBD3Qzcby0gl.bat

Filesize
194B

MD5
2ab4412b2a5ee8c15f241687f0753c70

SHA1
34169b205cc2fa8e659f330ebae2bca0428f680e

SHA256
3e690323f02b0fcce2128eae50c6e488bc19c9a0e891658e8a67d8c77d901fa2

SHA512
5e2262d82d4adf4fe7050b7648922f2dda16fb52fe1ac8741998b85437fcdaaf1c359ac792e40a9e01b47962419b08c9c1f7818d4b97411becef5e0d01722f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\lI8MdT6EnI3R.bat

Filesize
194B

MD5
78645442c8e5210ecefb42ee526545e3

SHA1
21148a03b89dcd3b43d48c2faf4ef8200be9e338

SHA256
5924a37d005f20ffcab226fcacbb332506a85882fe286c8115c2a5618b6e8c8b

SHA512
4603fc773140a1942c8fa75b407fab989acb073804c71570193176ca19f11fc36f106835c5eaeda1b8b3f1a6bd84c202b8a1e7e3a92cb2f7c1e14a6065a0467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhQNWOVHwFs6.bat

Filesize
194B

MD5
3d9edceb4f90c7674c4037460a2c3d93

SHA1
76b12a5d4ed45718340f20717fc8b8baf99d0bf2

SHA256
fff5f69fcf569dd305eb9b8662b3cfee73f09c2fb496e3266a05f25be87253f4

SHA512
1e18764c4a06c0102dc31aa6bde46e5c56172f08475f6b4ba5aa043e3e1e90987524dfc345d0db6fbc33a47e0900c58645d88cf84e3b3084a94e145d95798d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqiP7y65HKad.bat

Filesize
194B

MD5
8066a6881390aacdf46291545f045c35

SHA1
567c6d7a2f16b3a69bbc611b1e2893a1cda7e12c

SHA256
1e8671cda9fc045ccb83d0354a55e83f02ff552d59cc05ffd96ce00b75f86c3f

SHA512
5bf4fdd23ea8c095399385ecb80bdc7413f8a1896942e421fd41584295f0e73f81a92dd84aae18ac837524f90e79ad741a2389b3c4fba87397799fcdfc72a7fb

Download Submit
C:\Windows\System32\SubDir\host.exe

Filesize
3.3MB

MD5
bf4ca8258fd2f4df510aa046bbf7b21c

SHA1
79fe2a2cd3df7f83a44c33d2a061d588a8238c07

SHA256
e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

SHA512
aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1684-121-0x0000000000960000-0x0000000000CB0000-memory.dmp

Filesize
3.3MB

Download
memory/1744-154-0x0000000000F50000-0x00000000012A0000-memory.dmp

Filesize
3.3MB

Download
memory/1860-65-0x0000000000160000-0x00000000004B0000-memory.dmp

Filesize
3.3MB

Download
memory/1940-132-0x0000000000BF0000-0x0000000000F40000-memory.dmp

Filesize
3.3MB

Download
memory/2040-21-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-8-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-9-0x0000000000080000-0x00000000003D0000-memory.dmp

Filesize
3.3MB

Download
memory/2040-11-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-77-0x00000000001C0000-0x0000000000510000-memory.dmp

Filesize
3.3MB

Download
memory/2472-10-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-2-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2472-1-0x0000000000990000-0x0000000000CE0000-memory.dmp

Filesize
3.3MB

Download
memory/2476-88-0x0000000000100000-0x0000000000450000-memory.dmp

Filesize
3.3MB

Download
memory/2772-99-0x0000000000B80000-0x0000000000ED0000-memory.dmp

Filesize
3.3MB

Download
memory/2912-143-0x0000000000370000-0x00000000006C0000-memory.dmp

Filesize
3.3MB

Download
memory/2964-23-0x00000000010C0000-0x0000000001410000-memory.dmp

Filesize
3.3MB

Download